Securing Machine Identities

Growing up in the Sixties, I struggled to explain what my Dad did for a living. I’d usually just say that he had a PhD in something called computer science, and that he worked on making robots communicate. This seemed sufficient for the kids on the sandlot – which was good, because trying to explain my Dad’s early research on iterative arrays of machines probably wouldn’t have gone over well.

Two decades later, my Dad suggested that my own PhD research should focus on something called computer security (yes, the cyber designation came later). Before long, it was my own son who had trouble explaining what his Dad did for a living. I remember suggesting that he could tell the other kids that I secured how telecom robots talked, but I suspect that he just wisely changed the subject.

It should therefore come as no surprise that I would feel connected to companies that focus on securing machine identities. This area is essential to modern computing, because machines need to report and validate their identities when communicating, just like humans do when connecting to websites and apps. It’s surprising that our industry places such lopsided emphasis on protecting human identities over their machine equivalents.

Now – my first introduction to Jeff Hudson, CEO of Venafi, came many years ago. I’d been directly involved in some early PKI-based infrastructure projects, including the pioneering GSA ACES program way back in 2000 (wow, time flies). When I learned at the time that Jeff’s team was protecting keys and certificates, which we now recognize as the underpinnings of machine identity, I knew he was onto something – and I became a customer.

Today, the Venafi team couldn’t be busier, because their pioneering work has converged with the burgeoning need to protect machine identities. The TAG Cyber team connected with Venafi recently to understand their progress and to gain insights from Jeff and his team on this important enterprise task of securing how machines report and validate their crypto-based identities. Below is a summary of what we learned:

“I remember telling you some time ago about how solutions at Venafi are essentially focused on securing machine identities,” Hudson said, “and it was impressive that you didn’t laugh. This is unlike some other advisory groups in our industry, who didn’t see the big picture at the time. Well, now they do – and enterprise IT and security teams are resonating with this idea that machine identities are just as important as human ones – if not more so.”

We learned during our discussion that Venafi approaches this objective by focusing on five different aspects of the machine identity lifecycle. First, the team helps customers attend to machine identity tasks such as maintenance, updates, and avoidance of expiration for certificates. Everyone understands the importance of these tasks and how they require automated platform support to avoid outages and even data loss.

Second, the Venafi team helps DevOps teams simplify and accelerate use of cryptographic keys and certificates in Agile development processes. The recent Venafi acquisition of UK-based Jetstack will assist in this regard. Jetstack is an expert in helping enterprise developers utilize Kubernetes in modern, cloud-native infrastructure. They offer the community an open-source, native certificate management controller called cert-manager.

Third, the Venafi team assists with multi-cloud operations, with emphasis on ensuring that all SSL and TLS certificates are being properly managed for machine-to-machine authentication and secure communication. Organizations might have this function covered for one cloud service, such as with the AWS Certificate Manager. But extending this across multiple cloud services generally requires assistance – hence, support from Venafi.

Fourth, the Venafi team helps network operations and other enterprise teams properly manage their SSH keys. This security task typically requires support for discovery, rights management, privileged activity audit, and, of course, key rotation. The fifth area of focus at Venafi involves code signing, which will typically involve the enterprise software development and software lifecycle teams.

“There are many reasons enterprise groups should be focused on the security of their machine identities,” Hudson explained. “By working with our team, they can help to prevent certificate outages, streamline security operations, and safeguard the important steps involved in digital transformation. We’ve also helped customers address staffing challenges by automating tasks that previously required multiple individuals to perform.”

As analysts, we can see that securing machine identities is now resonating with enterprise teams, who are realizing the value of investing in automation to manage their many kinds of machines and the identities that go with them. Venafi’s innovative platform, powered by over 30 patents, coupled with real-world expertise from the largest and most security-conscious companies in the world, clearly provides an excellent solution.

It’s hard to imagine any enterprise of non-trivial size, scale, or scope that should not be engaged with a commercial partner to support enterprise-wide machine identity solutions. And while Venafi is obviously capable, there are many good options to include in your source selection. At TAG Cyber, we’ve reviewed, for example, the suite at Keyfactor and have found their offerings to be excellent. Enterprise security teams thus have good options.

In the end, it seems inevitable that this category of machine identity security will grow into a recognized area of enterprise security – and frankly, this may have occurred already. Venafi has now evolved into an enormous company with a large set of customers, which puts the company on track toward becoming one of our industry’s iconic brands. Such success stems both from advances in this category and from great leadership from Jeff Hudson.

I hope you will take some time to review your own posture with respect to keys, certificates, and protection of machine identities. If you think your lifecycle process in this area could be improved, then contact the Venafi team and request more detailed information. I suspect that whether you are a small company or a large enterprise, you will benefit from time spent with this fine security solution provider.

As always, let us know what you learn – and please stay safe and secure.